Analytics Story: AwfulShred

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware, including file wiping, process kills, system reboot via the system request (SysRq) key, shred overwrites, and service stops.

Why it matters

AwfulShred is a malicious Linux shell script designed to corrupt or wipe the targeted Linux system. It uses the shred command to overwrite files and increase the damage to data. This obfuscated malicious script can also disable and corrupt Apache, HTTP, and SSH services, deactivate swap files, clear the bash history, and finally reboot the system.

Detections

Name | Technique | Type
Linux Auditd Data Destruction Command | Data Destruction | TTP
Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly
Linux Auditd Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly
Linux Auditd Shred Overwrite Command | Data Destruction | TTP
Linux Auditd Stop Services | Service Stop | TTP
Linux Data Destruction Command | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Deletion Of Services | Data Destruction, File Deletion, Indicator Removal | TTP
Linux Disable Services | Service Stop | TTP
Linux Hardware Addition SwapOff | Hardware Additions | Anomaly
Linux Impair Defenses Process Kill | Disable or Modify Tools, Impair Defenses | Hunting
Linux Indicator Removal Clear Cache | Indicator Removal | TTP
Linux Indicator Removal Service File Deletion | File Deletion, Indicator Removal | Anomaly
Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stop Services | Service Stop | TTP
Linux System Reboot Via System Request Key | System Shutdown/Reboot | TTP
Linux Unix Shell Enable All SysRq Functions | Unix Shell, Command and Scripting Interpreter | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Linux Auditd Execve | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Proctitle | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Service Stop | Linux | linux:audit | /var/log/audit/audit.log
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
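As an added illustration (not code from the Splunk analytics story or its detections), the Python below parses auditd EXECVE records of the kind the Linux Auditd Execve data source ingests, decodes auditd's hex-encoded arguments, and maps four of the behaviours described under "Why it matters" (shred overwrite, swapoff, service stop, SysRq reboot) to the detection names in the table. The sample log lines and the rule predicates are constructed for this example and are simpler than the story's actual searches.

```python
import re

# Constructed auditd EXECVE records (not real captures); auditd hex-encodes values with spaces.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="shred" a1="-u" a2="/var/log/syslog"
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="swapoff" a1="-a"
type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="systemctl" a1="stop" a2="apache2"
type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="sh" a1="-c" a2=6563686F2062203E202F70726F632F73797372712D74726967676572
type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="ls" a1="-la" a2="/tmp"
"""

# One predicate over argv per story detection (names taken from the Detections table).
RULES = [
    ("Linux Shred Overwrite Command", lambda argv: argv[0] == "shred"),
    ("Linux Hardware Addition SwapOff", lambda argv: argv[0] == "swapoff"),
    ("Linux Stop Services",
     lambda argv: argv[0] in ("systemctl", "service") and "stop" in argv[1:]),
    ("Linux System Reboot Via System Request Key",
     lambda argv: any("/proc/sysrq-trigger" in a for a in argv)),
]

EXECVE_RE = re.compile(r"^type=EXECVE msg=audit\([\d.]+:(?P<serial>\d+)\):(?P<fields>.*)$")
# aN=<quoted value> (group 2) or aN=<bare hex value> (group 3)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Return (serial, argv) for an EXECVE record, or None for any other record type."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    argv = []
    for _, quoted, hexval in sorted(ARG_RE.findall(m.group("fields")), key=lambda t: int(t[0])):
        argv.append(quoted if quoted else bytes.fromhex(hexval).decode("utf-8", "replace"))
    return int(m.group("serial")), argv

def match_rules(log_text):
    """Return [(serial, rule name, argv)] for every EXECVE record that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None or not parsed[1]:
            continue
        serial, argv = parsed
        hits.extend((serial, name, argv) for name, pred in RULES if pred(argv))
    return hits

if __name__ == "__main__":
    for serial, name, argv in match_rules(SAMPLE_AUDIT_LOG):
        print(f"audit serial {serial}: {name}: {' '.join(argv)}")
```

In a real deployment the EXECVE record should be joined to its SYSCALL and PROCTITLE records by the audit serial number so the alert carries the user, parent process and full command line.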

Source: GitHub | Version: 1